Developers may use open source software and/or licensed software (a first piece of code) in their product software (secondary pieces of code) for reasons such as: (i) to fast-track development and a go-to-market strategy; (ii) to benefit from extensively tested and widely used software packages, pieces of code, or tools; (iii) for easy extensibility and pluggability; (iv) to comply with standardization; and/or other reasons. It is also common for developers at information technology (IT) companies to use proprietary code, packages, or tools in their products. Open source or proprietary tools may include a software license that defines the terms and conditions of use for an application and specifies the rights and obligations of the producer of the piece of code or software and of the end user. Types of software licenses may include a proprietary license, the GNU General Public License, an End User License Agreement (EULA), workstation licenses, concurrent-use licenses and restrictions, and/or others.
Code scanning is made a part of the software development process to identify a product's code, for instance, in order to identify components contained in a product's code that may need proper licensing or have to meet other requirements. Existing code scanning tools apply static and/or dynamic techniques to analyze code against the licenses being used, report to the user, and alert on a license violation. After scanning code, existing tools may generate reports. For example, if dependent open source packages get embedded in a primary source tree after a build, such as in a /lib directory, these tools gather all component sources together in a directory tree, including the open source packages, and initiate another toolchain against the dependent packages. Finally, these tools may generate a report for compliance review. These tools detect keywords, request the scanner to read the line of code, and report to reviewers, who then need to investigate further, possibly manually. Note that if the person operating the scanner is not careful enough, he or she can easily miss an important part of the code review.
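The keyword-based scan described above, as an added example that is not part of the original document or of any tool it describes: it walks a source tree, treats each directory under /lib as a dependent component, matches license keywords and SPDX tags in file headers, and produces a per-component report plus the list of components whose license falls under a hypothetical "disallowed" policy. The keyword patterns, the policy set, and the sample source tree (built in a temporary directory) are all constructed for illustration; a real scanner would use a far larger license catalogue and would still hand the findings to a reviewer, as the text notes.

```python
"""Added example (not from the original document): a minimal keyword-based
license scanner. It walks a source tree, matches license keywords and SPDX
tags in each file header, and reports components whose license violates a
hypothetical policy. Patterns, policy and sample files are constructed."""
import os
import re
import tempfile
from collections import defaultdict

# Illustrative keyword patterns mapped to a canonical license name.
LICENSE_PATTERNS = {
    "GPL-3.0": re.compile(r"GNU General Public License.*version 3"
                          r"|SPDX-License-Identifier:\s*GPL-3\.0", re.I | re.S),
    "MIT": re.compile(r"\bMIT License\b|SPDX-License-Identifier:\s*MIT\b", re.I),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0"
                             r"|SPDX-License-Identifier:\s*Apache-2\.0", re.I),
    "Proprietary": re.compile(r"All rights reserved|Proprietary and confidential", re.I),
}

# Hypothetical policy: licenses that may not be embedded in the product tree.
DISALLOWED = {"GPL-3.0"}

SOURCE_EXTENSIONS = (".c", ".h", ".py", ".js", ".java", ".go", ".txt", ".md")


def detect_licenses(text):
    """Return the set of canonical license names whose keywords appear in text."""
    return {name for name, pat in LICENSE_PATTERNS.items() if pat.search(text)}


def component_of(root, path):
    """Name a component by the directory holding the file (e.g. lib/crypto);
    files directly under root belong to the primary product."""
    parts = os.path.relpath(path, root).split(os.sep)
    return os.path.join(*parts[:-1]) if len(parts) > 1 else "<primary>"


def scan_tree(root):
    """Walk root and return {component: {"licenses": set, "files": [...]}}."""
    report = defaultdict(lambda: {"licenses": set(), "files": []})
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(SOURCE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                head = f.read(4096)  # license headers sit at the top of a file
            comp = component_of(root, path)
            report[comp]["files"].append(os.path.relpath(path, root))
            report[comp]["licenses"] |= detect_licenses(head)
    return dict(report)


def violations(report, disallowed=DISALLOWED):
    """Sorted list of components whose detected licenses hit the disallowed set."""
    return sorted(c for c, info in report.items() if info["licenses"] & disallowed)


def build_sample_tree():
    """Constructed sample tree: a proprietary primary product plus two /lib deps."""
    root = tempfile.mkdtemp(prefix="scan_")
    files = {
        "main.c": "/* Copyright ACME. All rights reserved. */\nint main(void){return 0;}\n",
        "lib/fastjson/json.c": "/* SPDX-License-Identifier: MIT */\n",
        "lib/crypto/cipher.c": "/* This program is free software: you can redistribute it\n"
                               " * under the terms of the GNU General Public License, version 3. */\n",
        "lib/crypto/README.md": "# crypto\nLicensed under the GNU General Public License version 3.\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    rep = scan_tree(build_sample_tree())
    for comp, info in sorted(rep.items()):
        print(f"{comp}: {sorted(info['licenses']) or ['UNKNOWN']} ({len(info['files'])} files)")
    print("policy violations:", violations(rep))
```

Only the first 4 KiB of each file is inspected, which mirrors the header-only heuristic of keyword scanners and is also why such tools miss licenses declared elsewhere; the report therefore lists every scanned file per component so a reviewer can follow up on components that came back with no license at all.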
Existing code scanning and clearance processes try to analyze source code and determine potential license violations, and help in performing post-mortem crash dump analysis. Some methods use analytics in order to automatically and remotely turn off code in mobile applications based on problematic context. However, the process of identifying a product's code: (i) is still a time-consuming task, (ii) is prone to risks, (iii) is primarily focused on the current state and context of the code being scanned and the application that uses the code, and (iv) does not take into consideration the developer cohort and context.
Challenges still exist in identifying the primary and secondary sets of code in software or a product's code. If undesired code is detected in an application, for example code connected with a licensing requirement, there is no mechanism to control the use of the undesired code in a programmatic way. Thus, there is a need for an improved system and method for smart code clearance assistance, for example based on prediction, contextual analysis, and cognitive considerations.